1 © Nokia Solutions and Networks 2015
Check_IMEI Misusage
Siddharth Rao / Silke Holtmanns / Ian Oliver / Tuomas Aura
21-08-2015
Public

Agenda
• Background of SS7 attacks
• Normal Check_IMEI procedure
• Assumptions
• Attack scenario description
• Summary

Motivation
• Telecommunication systems are vulnerable.
• Recent attacks
  • Locate
  • Trace/intercept
  • Manipulate
Frauds
Illegitimate activities
• Core network protocol
  • Signaling System #7

Signaling System #7
• Protocol foundation to enable roaming.
• Call establishment, management and release.
• Short Message Services (SMS).
• Supplementary services.
• Toll free numbers.
• Tele-voting.
• Enhanced Message Services (EMS).
• Local Number Portability (LNP).

SS7 Attacks timeline

SS7 Attacks impact

Unblocking stolen mobile devices using SS7-MAP vulnerabilities
Exploiting the relationship between IMEI and IMSI for EIR access
- Siddharth Rao, Dr. Silke Holtmanns, Dr. Ian Oliver, Dr. Tuomas Aura

Normal IMEI (device ID) Check procedure

CheckIMEI ASN Structure
Contains only IMEI.

Assumptions
• The attacker has a stolen phone that is blacklisted and knows the IMSI (subscriber ID) that was associated with it when it was blocked or last used by the victim. The attacker does not need the original SIM; the IMSI alone is sufficient.
• The attacker has access to the SS7 network.
• The Global Title (GT, "SS7 name of a node") of the Equipment Identity Register (EIR) is required.
• The Mobile Switching Center (MSC) GT might be needed (depending on operator configuration).
• Feature and IMSI check options are enabled.

Feature
Users lose their phones and find them again, so an easy "recovery" in the EIR is wanted.
• The MSC sends the IMEI (device ID) along with the IMSI (subscriber ID) during MAP_CHECK_IMEI.
• The IMEI is checked first to determine which list it belongs to. If it is found on the black list, an additional check of the IMSI is made. If the IMSI provisioned with the IMEI in the EIR database (the IMSI-IMEI pair held in the EIR before the victim blocks the stolen device) matches the IMSI in the MAP_CHECK_IMEI message, this overrides the blacklist condition.
• The phone is no longer blacklisted.

Attack Scenario

CheckIMEI ASN Structure
Contains IMEI and IMSI!

Example
1. A CHECK_IMEI* is received with IMEI = 12345678901234 and IMSI = 495867256894125.
2. An individual IMEI match is found, indicating that the IMEI is on the Black List.
3. The normally required response would be Black Listed; however, because an IMSI is present in the message and the IMEI is on the Black List, the IMSI is compared to the IMSI entry in the database for this IMEI.
4. In this case, the IMSI in the RTDB matches the IMSI in the query, so the Black Listed condition is cancelled/overridden.
5. The EIR formulates a CHECK_IMEI* response with Equipment Status = 0 (whiteListed).

Why should somebody do this?
• Stolen phones would have a much higher value if they are not blacklisted and can be sold via eBay or similar means.
• 1 in 10 smartphone owners are the victims of phone theft.
• In the United States, 113 phones per minute are stolen or lost.
• $7 million worth of smartphones on a daily basis.
Source: http://www.wired.com/2014/12/where-stolen-smart-phones-go/

EIR Coverage
Source: Farrell, G. (2015). Preventing phone theft and robbery: the need for government action and international coordination. Crime Science, 4(1), 1-11.

Summary
• The attack has not been observed in real networks.
• Research was done at protocol level and on publicly available information.
• Not all EIRs are affected.
• A business case exists for the attack.
• It is easy to add "Check_IMEI*" to the filter list of network-internal messages to stop this kind of attack before it appears in real networks.
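
Added example (not part of the original slides and not Nokia or EIR vendor code): a toy Python model of the EIR decision walked through in the Example slide, next to the border filter suggested in the Summary. The class and function names, the ingress labels and the Global Titles are constructed assumptions; the IMEI and IMSI are the sample values from the Example slide.

```python
from dataclasses import dataclass, field
from typing import Optional

# MAP EquipmentStatus values (whiteListed = 0 is the value the slides quote).
WHITE_LISTED, BLACK_LISTED, GREY_LISTED = 0, 1, 2

# Operations that should only ever be seen inside the home network
# (hypothetical policy set; the slides name Check_IMEI* as a candidate).
INTERNAL_ONLY_OPS = {"checkIMEI"}


@dataclass(frozen=True)
class MapMessage:
    operation: str
    ingress: str                 # "internal" or "interconnect" (constructed labels)
    calling_gt: str              # constructed Global Title of the sender
    imei: str
    imsi: Optional[str] = None   # present only in the extended Check_IMEI* form


@dataclass
class Eir:
    db: dict                     # imei -> (list status, IMSI provisioned with it)
    imsi_check_enabled: bool = True
    overrides: list = field(default_factory=list)  # audit trail of cancelled blacklists

    def check_imei(self, msg: MapMessage) -> int:
        entry = self.db.get(msg.imei)
        if entry is None:
            return WHITE_LISTED  # assumption: unknown IMEIs are allowed
        status, provisioned_imsi = entry
        if (status == BLACK_LISTED and self.imsi_check_enabled
                and msg.imsi is not None and msg.imsi == provisioned_imsi):
            # The override from the Example slide; record it so it can be reviewed.
            self.overrides.append((msg.imei, msg.calling_gt))
            return WHITE_LISTED
        return status


def border_filter(msg: MapMessage) -> bool:
    """Return True if the message may be forwarded to the EIR."""
    return not (msg.operation in INTERNAL_ONLY_OPS and msg.ingress == "interconnect")


def handle(msg: MapMessage, eir: Eir, filtering: bool):
    """Return ("dropped", None) or ("answered", equipment_status)."""
    if filtering and not border_filter(msg):
        return ("dropped", None)
    return ("answered", eir.check_imei(msg))


def demo():
    # Constructed database: the IMEI from the slides, blacklisted, with its IMSI.
    db = {"12345678901234": (BLACK_LISTED, "495867256894125")}
    own_msc = MapMessage("checkIMEI", "internal", "100000000001", "12345678901234")
    external = MapMessage("checkIMEI", "interconnect", "200000000099",
                          "12345678901234", imsi="495867256894125")
    eir = Eir(dict(db))
    return {
        "own_msc_imei_only": handle(own_msc, eir, filtering=False),
        "external_unfiltered": handle(external, eir, filtering=False),
        "external_filtered": handle(external, eir, filtering=True),
        "feature_disabled": handle(
            external, Eir(dict(db), imsi_check_enabled=False), filtering=False),
        "overrides_logged": list(eir.overrides),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `overrides` list is the part worth keeping even with the filter in place: every cancelled blacklist entry is recorded with the sender's GT, so an operator can review overrides that did not come from its own MSCs.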

THANK YOU
Contact: siddharth.rao@aalto.fi

A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 

Unblocking Stolen Mobile Phones using SS7-MAP vulnerabilities

  • 1. © Nokia Solutions and Networks 2015. Check_IMEI Misusage. Siddharth Rao / Silke Holtmanns / Ian Oliver / Tuomas Aura. 21-08-2015. Public
  • 2. Agenda
      • Background of SS7 attacks
      • Normal Check_IMEI procedure
      • Assumptions
      • Attack scenario description
      • Summary
  • 3. Motivation
      • Telecommunication systems are vulnerable.
      • Recent attacks
      • Locate
      • Trace/intercept
      • Manipulate
      • Frauds
      • Illegitimate activities
      • Core network protocol
      • Signaling System #7
  • 4. Signaling System #7
      • Protocol foundation to enable roaming.
      • Call establishment, management and release.
      • Short Message Services (SMS).
      • Supplementary services.
      • Toll free numbers.
      • Tele-voting.
      • Enhanced Message Services (EMS).
      • Local Number Portability (LNP).
  • 5. SS7 Attacks timeline
  • 6. SS7 Attacks impact
  • 7. Unblocking stolen mobile devices using SS7-MAP vulnerabilities. Exploiting the relationship between IMEI and IMSI for EIR access. Siddharth Rao, Dr. Silke Holtmanns, Dr. Ian Oliver, Dr. Tuomas Aura
  • 8. Normal IMEI (device ID) Check procedure
  • 9. CheckIMEI ASN Structure: contains only IMEI.
  • 10. Assumptions
      • The attacker has a stolen phone that is blacklisted and knows the IMSI (subscriber ID) that was associated with it at the time of blocking or of its last use by the victim. The attacker does not need the original SIM; the IMSI alone is sufficient.
      • The attacker has access to the SS7 network.
      • The Global Title (GT, "SS7 name of a node") of the Equipment Identity Register (EIR) is required.
      • The Mobile Switching Center (MSC) GT might be needed (depending on operator configuration).
      • Feature and IMSI check options are enabled.
  • 11. Feature
      • Users lose their phones and find them again; an easy "recovery" in the EIR is wanted.
      • The MSC sends the IMEI (device ID) along with the IMSI (subscriber ID) during MAP_CHECK_IMEI.
      • Initially the IMEI is checked to determine which list it belongs to. If it is found on the black list, an additional check of the IMSI is made. If the IMSI provisioned with the IMEI in the EIR database (the IMSI-IMEI pair held in the EIR before the victim blocks the stolen device) matches the IMSI in the MAP_CHECK_IMEI message, this overrides the blacklist condition.
      • The phone is no longer blacklisted.
  • 12. Attack Scenario
  • 13. CheckIMEI ASN Structure: contains IMEI and IMSI!
  • 14. Example
      1. A CHECK_IMEI* is received with IMEI = 12345678901234 and IMSI = 495867256894125.
      2. An individual IMEI match is found, indicating that the IMEI is on the Black List.
      3. Normally the required response would be Black Listed; however, because an IMSI is present in the message and the IMEI is on the Black List, the IMSI is compared to the IMSI entry in the database for this IMEI.
      4. In this case, the IMSI in the RTDB matches the IMSI in the query, so the Black Listed condition is cancelled/overridden.
      5. The EIR formulates a CHECK_IMEI* response with Equipment Status = 0 (whiteListed).
  • 15. Why should somebody do this?
      • Stolen phones have a much higher value if they are not blacklisted and can be sold via eBay or similar means.
      • 1 in 10 smart-phone owners are the victims of phone theft.
      • In the United States, 113 phones per minute are stolen or lost.
      • $7 million worth of smart phones on a daily basis.
      Source: http://www.wired.com/2014/12/where-stolen-smart-phones-go/
  • 16. EIR Coverage. Source: Farrell, G. (2015). Preventing phone theft and robbery: the need for government action and international coordination. Crime Science, 4(1), 1-11.
  • 17. Summary
      • The attack has not been observed in real networks.
      • Research was done at the protocol level and on publicly available information.
      • Not all EIRs are affected.
      • A business case exists for the attack.
      • It is easy to add "Check_IMEI*" to the filter list of network-internal messages to stop this kind of attack before it appears in practice.
  • 18. THANK YOU. Contact: siddharth.rao@aalto.fi
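Added example, not part of the original slides and not any vendor's EIR code: a Python model of the EIR decision described on slides 11 and 14, with the Check_IMEI filter from the summary slide placed in front of it. The function names, the GT prefix and the calling GTs are constructed for illustration, the IMEI/IMSI pair is the one from the slide example, and treating unknown IMEIs as white listed is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# MAP EquipmentStatus values (the slides show 0 = whiteListed).
WHITE_LISTED, BLACK_LISTED, GREY_LISTED = 0, 1, 2

@dataclass
class EirEntry:
    status: int                 # list the IMEI is currently on
    imsi: Optional[str] = None  # IMSI provisioned with the IMEI before blocking

# Constructed database holding the IMEI/IMSI pair from the slide-14 example.
EIR_DB = {"12345678901234": EirEntry(BLACK_LISTED, "495867256894125")}

# Constructed Global Title prefix standing in for the operator's own nodes.
INTERNAL_GT_PREFIXES = ("99901",)

def check_imei(imei, imsi=None, imsi_check_enabled=True):
    """EIR decision with the optional IMSI check (hypothetical model)."""
    entry = EIR_DB.get(imei)
    if entry is None:
        return WHITE_LISTED  # assumption: unknown IMEIs are not blocked
    if (entry.status == BLACK_LISTED and imsi_check_enabled
            and imsi is not None and imsi == entry.imsi):
        return WHITE_LISTED  # matching IMSI overrides the black list
    return entry.status

def filtered_check_imei(calling_gt, imei, imsi=None):
    """Drop Check_IMEI from outside the network before it reaches the EIR."""
    if not calling_gt.startswith(INTERNAL_GT_PREFIXES):
        return None  # filtered: Check_IMEI is a network-internal message
    return check_imei(imei, imsi)

def demo():
    imei, imsi = "12345678901234", "495867256894125"
    return {
        "imei_only": check_imei(imei),
        "imei_and_matching_imsi": check_imei(imei, imsi),
        "imsi_check_disabled": check_imei(imei, imsi, imsi_check_enabled=False),
        "external_gt": filtered_check_imei("8880200000001", imei, imsi),
        "internal_gt": filtered_check_imei("9990100000001", imei, imsi),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The internal-GT case still returns whiteListed, which is the recovery feature working as designed; the filter only removes the path by which the same request arrives from outside the operator's network.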